Stopping malware distribution at the source

At Malwarebytes we are a bit obsessed with protecting our users, which causes us to approach our jobs from all sorts of different angles. One of my favorite aspects of this is how we tackle malware right at its source: the servers that deliver it. Our team works around the clock to identify and block the sites pushing exploits and malicious software to our users. Blocking is just one small aspect of this though—what most people don’t realize is the effort we take to clean that malware up so that no one anywhere, whether a user of our software or not, can be infected by it.

Users of MBAM Pro are likely familiar with the IP blocking functionality, but for those of you who aren’t it is fairly simple. When a user attempts to connect to a site that we know is hosting malware, MBAM blocks the connection from being made. This prevents drive-by exploits from running, payloads from being delivered, and communication to botnet controllers from being possible. Our database of malicious servers is updated not just daily, but multiple times throughout the day as new threats are discovered. Our researchers have round the clock coverage, so it does not take long between when a malicious server goes up and when we block it.

Maintaining the list of malicious servers is a complicated task, and not just for technological reasons. When we first encounter malware hosted on a site we have a judgment call to make. There are a lot of factors that go into our decision—we have to balance the needs of our users (namely, not to be infected) against the negative repercussions that blacklisting brings. This is made easier by the fact that our mission is very clear—it is our job to protect our users, not from abstract threats like damaging speech or knowledge we may not agree with, but the real and measurable threat of malicious software. We’re here to protect, not to babysit, and take a bit of pride in that fact. Even still we know that adding a domain to our list is not something to be taken lightly, and we do everything we can to prevent it from even needing to happen.

While a lot of servers are very clearly dedicated to malicious activity, many of the people distributing malware have no intention of doing so or even know they’re doing it. Malware distributors take advantage of common security flaws and outdated software to piggyback on real websites in order to hit as wide of an audience as possible. Outdated software, custom software with flawed security, incorrect installation parameters or flawed permissions—all of these and more can lead to a website unknowingly pushing malware to it’s users. If this site happens to use a shared resource—through a hosting company that has multiple sites on their machine, or a CDN that relies on shared endpoints—then it’s making the whole neighborhood look like a threat. In these cases the “malicious” server is actually as much of a victim as the visitors themselves, with the real bad guy not really caring whether or not it gets blacklisted.

As important as this all is, there’s one other huge reason why we put so much effort into takedowns and cleanups—blacklisting only protects our users! If someone isn’t using MBAM Pro, then they aren’t being protected. This functionality is a great tool for our users, and it keeps them safe from threats before those threats are even seen—but we’re arrogant enough to want to protect the world. Obviously we’d love it if everyone used our software (it would be such a beautiful, and significantly more secure, world to live in…sigh), but until that happens we have to work in other ways to keep people safe.

This is why we don’t just stop our users from connecting to to malicious servers, we get them taken down or cleaned up. As our researchers find malware they also work to clean that malware up. We have extensive relationships with data centers, web hosts and law enforcement world wide, and we establish new relationships all the time. In the vast majority of cases blacklisting is never needed, as the problem gets cleaned up almost immediately. It’s only when we believe our users are at risk that we take the action of blocking a site. Whether it’s notifying a small business owner that their site has been exploited or telling a datacenter that they have multiple machines being used for criminal activities, we seriously just love making the internet a safer place for everyone.

May 9, 2012 - At Malwarebytes we are a bit obsessed with protecting our users, which causes us to approach our jobs from all sorts of different angles. One of my favorite aspects of this is how we tackle malware right at its source: the servers that deliver it. Our team works around the clock to identify and block...

May 24, 2012 - Back in 2009, I wrote about a telephony based scam that had gained momentum, and which sadly appears to have grown since then — invading other countries and scamming more victims. Since then, various other people, including my friends at Microsoft, have been investigating the companies involved, to try and both raise awareness and shut...

June 29, 2012 - This week, there is a lot of media hype over emails being sent to users of the Royal Bank of Scotland and NatWest because of severe IT issues making it impossible for users to access their accounts online. The emails offer users the ability to log-in to their accounts and provide a link to the...

July 3, 2012 - “Over the years, phishing attacks have changed, as with most things, and have been segmented into different groups of variants.” –Me If there is one thing you can say about cybercriminals, it’s that they are adaptive. As I mentioned last week, phishing attacks have evolved from just fake web pages and official looking emails to...

July 13, 2012 - Over the last few weeks I have described numerous methods of phishing attacks and a few examples what they do or may look like. In this final installment, I will shed some light on how phishing attacks are done and a few real world examples of techniques used by Phishing scammers. Finally, I will discuss...